I regularly see DNS queries that are not answered (or rather, our WiFi system sees them) and I decided to investigate it a bit. Some devices make regular queries like this:
Internet Protocol Version 4, Src: 192.168.244.58, Dst: 192.168.244.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport
(0)
Total Length: 79
Identification: 0xb3d8 (46040)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: UDP (17)
Header Checksum: 0x1d38 [correct]
[Header checksum status: Good]
[Calculated Checksum: 0x1d38]
Source Address: 192.168.244.58
Destination Address: 192.168.244.1
User Datagram Protocol, Src Port: 51209, Dst Port: 53
Source Port: 51209
Destination Port: 53
Length: 59
Checksum: 0x0000 [zero-value ignored]
[Checksum Status: Not present]
[Stream index: 2073]
[Timestamps]
[Time since first frame: 0.000000000 seconds]
[Time since previous frame: 0.000000000 seconds]
UDP payload (51 bytes)
Domain Name System (query)
Transaction ID: 0x000e
Flags: 0x0100 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...1 .... .... = Recursion desired: Do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...0 .... = Non-authenticated data: Unacceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
google.com: type A, class IN
Name: google.com
[Name Length: 10]
[Label Count: 2]
Type: A (Host Address) (1)
Class: IN (0x0001)
Additional records
[Malformed Packet: DNS]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
It looks like a normal UDP query but wireshark says it is “Malformed” (without giving more detail)
RouterOS ignores it, so it probably thinks the same. The Transaction ID is always 0x0003, the queried name is always google.com. But there are other A queries to google.com that are OK and are answered.
Does anyone have an idea what this is for?